IBM released security updates for two critical vulnerabilities in its message-oriented middleware IBM MQ. The vulnerabilities, identified as CVE-2022-27780 and CVE-2022-30115, allow for security bypass and exposure of sensitive data.
Both flaws were discovered in the libcurl library, which the IBM MQ server uses to enable HTTPURL functionality.
Affected IBM MQ products are listed as:
- LTS versions 9.0, 9.1 and 9.2
- CD versions 9.1 and 9.2
How Do the Vulnerabilities Affect Systems?
CVE-2022-27780 is a vulnerability in libcurl’s URL parser. It wrongly accepts percent-encoded URL separators such as “/” when decoding the hostname part of a URL, so a different, false hostname is returned when the URL is later retrieved. An attacker could send a crafted hostname in a URL to exploit this vulnerability, enabling them to bypass URL filters. The vulnerability has a CVSS score of 7.5.
CVE-2022-30115 could let an attacker bypass HSTS checks. With HSTS, cURL can be set to use HTTPS even if the URL only specifies HTTP. Suppose the trailing dot was not included when the HSTS cache was built. In that case, an attacker could send a specially crafted request with a hostname in the URL that contains a trailing dot and exploit the vulnerability to gain access to sensitive information. The opposite is also possible, with the HSTS cache having a trailing dot.
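Both hostname pitfalls described above (percent-encoded separators in the host, and a trailing-dot mismatch in an HSTS lookup) can be guarded against before a URL reaches the HTTP client. The following is an added defensive example, not code from IBM MQ or libcurl: a hypothetical pre-filter whose function names, HSTS set and sample URLs are all constructed for illustration, and which handles DNS names and IPv4 hosts only.

```python
import re
from urllib.parse import urlsplit

# Constructed sample HSTS cache; entries are stored without a trailing dot.
HSTS_HOSTS = {"example.com"}

# Lowercase DNS name or IPv4 address, with at most one trailing dot.
HOST_RE = re.compile(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?\.?")


def normalized_host(url):
    """Return the host in canonical form, or raise ValueError.

    The host is inspected as written in the URL (urlsplit does not
    percent-decode it), so an encoded separator such as %2F is rejected
    instead of being decoded into a different hostname.
    """
    host = urlsplit(url).hostname  # lowercased, port and userinfo removed
    if not host:
        raise ValueError("URL has no host")
    if "%" in host or not HOST_RE.fullmatch(host):
        raise ValueError("illegal character in host: %r" % host)
    # "example.com." and "example.com" name the same host; use one form
    # for every comparison so filters and the HSTS lookup agree.
    return host[:-1] if host.endswith(".") else host


def effective_scheme(url):
    """Return the scheme to use after applying the HSTS set."""
    parts = urlsplit(url)
    host = normalized_host(url)
    if parts.scheme == "http" and host in HSTS_HOSTS:
        return "https"
    return parts.scheme


if __name__ == "__main__":
    for sample in ("http://example.com/login",
                   "http://example.com./login",
                   "http://other.test/",
                   "http://example.com%2F127.0.0.1/x"):
        try:
            print(sample, "->", effective_scheme(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

A plain string comparison of `example.com.` against the set would miss the entry, which is the mismatch the normalization step removes.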
This week, IBM has also fixed a vulnerability caused by deserialization of untrusted data. Tagged CVE-2022-25647, the high-severity flaw exists in the Google Gson package and affects IBM’s Sterling Connect: Direct for UNIX 22.214.171.124. An attacker could exploit it by using the writeReplace() method to launch DoS attacks.
IBM Released Patches
New versions have been released. The corresponding fixes are listed below:
- For LTS 9.0 and 9.1, apply iFix APAR IT40933
- For LTS 9.2, upgrade to IBM MQ 126.96.36.199
- For CD 9.1 and 9.2, upgrade to IBM MQ 9.3
See IBM’s security bulletin for more details.